{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25615", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-03T19:18:47.567Z", "datePublished": "2026-02-03T19:18:47.837Z", "dateUpdated": "2026-02-05T06:19:48.805Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Blesta", "vendor": "Blesta", "versions": [{"lessThan": "5.13.3", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:31:18.017Z"}, "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:54:51.760694Z", "id": "CVE-2026-25615", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:54:58.464Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:48.805Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:48.805Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T20:54:51.760694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:54:55.411Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Blesta", "product": "Blesta", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "5.13.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:31:18.017Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25615", "state": "PUBLISHED", "dateUpdated": "2026-02-05T06:19:48.805Z", "dateReserved": "2026-02-03T19:18:47.567Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-03T19:18:47.837Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phillipsdata:blesta:*:*:*:*:*:*:*:*", "matchCriteriaId": "30701A29-97E4-4250-AEDA-442915CC0F42", "versionEndExcluding": "5.13.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668."}], "id": "CVE-2026-25615", "lastModified": "2026-02-13T21:26:32.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-03T20:15:59.077", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.blesta.com/2026/01/28/security-advisory/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2026/Feb/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:05:50.794976+00:00", "value": {"mitigation_remediation": ["Apply the latest Blesta release (5.13.3 or newer) to eliminate the object\u2011injection flaw.", "If an upgrade cannot be performed immediately, temporarily disable or remove any API endpoints or modules that accept serialized data from users until the fix is applied.", "Ensure that all incoming data is validated or strictly typed before deserialization, and replace any use of PHP\u2019s unserialize() with safer alternatives or whitelisting mechanisms."], "summary": {"action": "Patch soon", "impact": "Object injection enabling return on arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Blesta product from the vendor Blesta, specifically all releases in the 3.x, 4.x, and 5.x series prior to version 5.13.3. Users of these versions are at risk regardless of deployment size or geographic location.", "description_and_impact": "Blesta versions 3.x through 5.x before 5.13.3 suffer from the CORE-5668 object\u2011injection flaw, which permits an attacker to supply crafted serialized data that is unserialized by the application without proper validation. This vulnerability is classified as CWE\u2011502 and can lead to remote code execution, allowing the attacker to take full control over the affected system and compromise data confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 7.2 denotes a high severity, but the EPSS score being less than 1% indicates a low current exploitation probability and the vulnerability is not yet catalogued in the CISA KEV list. The likely attack vector is remote exploitation through the web interface or exposed APIs, as the flaw stems from deserializing untrusted input. While exploitation requires some application interaction, the lack of immediate exploitation evidence suggests that attackers would need to identify and target specific application instances that expose the vulnerable code path."}}}}, "created": "2026-02-04T12:05:08.990328+00:00", "title": "Object Injection Vulnerability in Blesta Versions 3.x to 5.x Before 5.13.3", "updated": "2026-04-18T00:15:31.783619+00:00", "vendors": ["blesta", "blesta$PRODUCT$blesta"]}